SQLite Forum

How do i submit a bug report

The "lemon" program converts a structured description of a grammar which has actions associated with specified grammar constructs into a C function which is able to parse an instance of the grammar and perform the actions corresponding to various constructs in that instance.

The C function so generated from SQLite's SQL grammar is used in SQLite to process SQL passed into the prepare_statement() APIs.

Of course, the grammar description which Lemon is called upon to convert into a parser when SQLite is built does not contain anything like what you or other "Security Researchers" devise to expose so-called vulnerabilities in the lemon parser generator.

If you really want to learn about lemon, you can peruse <u>[The Lemon Parser Generator](https://www.sqlite.org/lemon.html)</u> to your heart's content. This document can be found under "Lemon" in the [website keyword index](https://www.sqlite.org/keyword_index.html). I urge you to consult that index first when you have questions regarding SQLite. Much effort has gone into keeping the online docs current and accurate, so it should be your first source of answers. (And if something you cannot find there ought to be there, that is a fact worth bringing to the dev team's attention.)